
Summary
This rule identifies potentially malicious attachments in inbound email messages from unsolicited or suspicious senders. It targets files and archives that contain embedded Microsoft Word documents (extensions such as .doc, .docx and .docm) whose document properties list the author as 'root'. The rule operates under two primary conditions. First, it scans attachments for Word files or common archive formats and checks the document properties for the specific author 'root'. Second, it evaluates the sender's profile and flags files sent from sources that are not recognized or were not previously solicited. If the sending profile has previously been flagged for sending malicious or spam messages, that serves as further validation that the current message is suspicious, which keeps false positives low. Overall, the rule strengthens threat detection by combining detailed file analysis of attachments with sender reputation insight, addressing a tactic commonly used in ransomware and malware distribution.
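The following is an added worked example, not the rule's own query language or code: a minimal Python re-implementation of the two conditions described above. It builds a constructed .docx whose core properties name the author 'root', optionally wraps it in a .zip archive, and evaluates it against a sender profile. The profile field names (`recognized`, `solicited`, `prior_malicious_or_spam`) and the limitation to zip archives and OOXML (.docx/.docm) files are assumptions made for the example; legacy binary .doc files would need an OLE property parser, which is not shown here.

```python
"""Added example: attachment author check plus sender-profile gating.
Constructed inputs only; profile field names are assumptions, not the rule's."""
import io
import zipfile
import xml.etree.ElementTree as ET

WORD_EXTS = (".doc", ".docx", ".docm", ".dot", ".dotx", ".dotm")
ARCHIVE_EXTS = (".zip",)  # assumption: only zip archives are expanded here
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}


def build_docx(author: str) -> bytes:
    """Constructed minimal OOXML package with the given dc:creator (test data only)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        f"<dc:creator>{author}</dc:creator></cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def wrap_in_zip(files: dict) -> bytes:
    """Constructed archive attachment: {filename: bytes} -> zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def docx_author(data: bytes):
    """Return dc:creator from docProps/core.xml of an OOXML package, or None.
    Legacy OLE .doc files are not zip packages and yield None here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "docProps/core.xml" not in z.namelist():
                return None
            root = ET.fromstring(z.read("docProps/core.xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return None
    creator = root.find("dc:creator", NS)
    return creator.text.strip() if creator is not None and creator.text else None


def word_files(name: str, data: bytes, depth: int = 0):
    """Yield (name, bytes) for Word documents attached directly or nested in
    archives; nesting is capped at two levels to bound work on hostile input."""
    lower = name.lower()
    if lower.endswith(WORD_EXTS):
        yield name, data
    elif lower.endswith(ARCHIVE_EXTS) and depth < 2:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if not info.is_dir():
                        yield from word_files(info.filename, z.read(info), depth + 1)
        except zipfile.BadZipFile:
            return


def message_is_suspicious(attachments, sender_profile) -> bool:
    """attachments: list of (filename, bytes).
    sender_profile (assumed schema): {'recognized': bool, 'solicited': bool,
    'prior_malicious_or_spam': bool}.
    Condition 1: some attached Word document is authored by 'root'.
    Condition 2: the sender is unrecognized and unsolicited, or has previously
    been flagged for malicious/spam mail."""
    author_root = any(
        docx_author(d) == "root"
        for name, data in attachments
        for _, d in word_files(name, data)
    )
    if not author_root:
        return False
    unsolicited_unknown = (
        not sender_profile.get("recognized", False)
        and not sender_profile.get("solicited", False)
    )
    flagged = sender_profile.get("prior_malicious_or_spam", False)
    return unsolicited_unknown or flagged


if __name__ == "__main__":
    archive = wrap_in_zip({"invoice.docx": build_docx("root")})
    new_sender = {"recognized": False, "solicited": False, "prior_malicious_or_spam": False}
    print(message_is_suspicious([("invoice.zip", archive)], new_sender))
```

The archive walk is what makes the rule useful in practice: the author check alone is trivially bypassed by zipping the document, so the same property lookup is applied to every Word file found inside an attached archive, with a depth cap so a nested archive cannot turn the check into unbounded work.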
Categories
- Endpoint
- Network
- Web
- Application
Data Sources
- File
- User Account
- Application Log
Created: 2021-12-01